Exploitation of a Hardened MSP430-Based Device
This presentation walks through the reverse engineering and exploitation of a hardened embedded device and describes techniques that can be used to exploit similar devices. As MSP430 devices become more common, it is becoming the norm to encounter production devices with blown JTAG fuses. Previously, this was a significant hurdle. In 2008, Goodspeed described several attacks against the MSP430's BSL (bootstrap loader). This presentation reviews those attacks and describes the challenges facing a researcher attempting to perform them, then demonstrates how to reliably extract firmware from an MSP430 with a blown JTAG fuse. It also covers what you might see while reverse-engineering MSP430 firmware. Finally, it describes a software-only attack that uses a feature of the BSL to extract sensitive data from RAM.
Braden is a Senior Research Scientist at Accuvant, where he focuses on embedded devices, reverse engineering, and exploit development. His work at Accuvant has covered the medical device and smart meter industries. Prior to Accuvant, he worked as a Product Security Engineer at Apple for six years. At Apple, Braden focused on increasing the internal fuzzing throughput and coverage, as well as performing proactive security reviews for many high-profile features.